I have created a simple spyware which, whenever a form is submitted on any website, serializes the form data and then sends the data to my email address.

I am only currently using it on my own devices: whenever someone (friends/family/etc.) borrows my device, I just threaten them that I will be able to get their passwords by just using my device.

I am planning to release it on GitHub with MIT License. Will I have a responsibility on how others will use it? Will I get sued for creating it?

What is the purpose of releasing the program?
– Brandin, Oct 12 '18 at 4:29

It really depends on how you market it. If you market it as a way to steal people's information, you'll be making a far more risky choice than if you release it as a tool for security analysis and antivirus testing.
– forest, Nov 18 '18 at 8:18

3 Answers
Your code is considered free speech (Bernstein v. United States) and you have allowed the use of the code via the MIT license. Since the application of your code is very generic and is not specifically targeting anyone, you probably are not criminally liable.

This is simply writing a "Proof of Concept" for security testing purposes, the same way Metasploit, Nessus, and Nmap have actual exploit code but are considered tools of the trade.

Now if you go around using your spyware on non-consenting victims, you might get a visit from some people with guns and badges that have 3 letters on them.

Are you certain that Bernstein is good law? Did you Shepardize it? What is generic code? How can something be very generic? Is that like very unique? What's the relevance of specifically targeting anyone? Does malicious spyware specifically target anyone?
– Wm Wolff - Law Exam Guides, Aug 26 '19 at 3:52

The relevance of specifically targeting anyone or any group of users is that you are attacking non-consenting victims vs. someone who agrees to your TOS. In this context, his TOS is the verbal warning he is giving to people using his phone. Malicious spyware CAN/MAY target specific people: either people of a specific country, or users of a particular app, or a specific person who is the target of any campaign. But it is always targeting something/someone/some group.
– Digital fire, Aug 29 '19 at 16:00

Without consideration for the specifics, as a software engineer with a law degree, I don't worry about what might happen with something I made if it was abused by someone else. The classic case is a gun. If you sell a gun to someone, you aren't liable if he kills someone (unless your involvement was more than just selling the gun).

Given that it's open source, it would be easy to detect and fix. So it doesn't pose much threat, unless it's something spectacular. If it's something spectacular, you'll hear from people who want to hire you.

It is hard to see much in the way of legitimate use for such a program. Since it is predictable that it would be used for improper purposes by at least some users, you could possibly be liable if such improper use causes damage. Why do you want to release it, and what legitimate use do you envision others having for it? (Note that the threats you suggest are probably not legit, even if someone has borrowed a device with your permission but not returned it in a timely way.)

@Sam Judge: To release code snippets which show in general how to do this may serve an educational purpose. To release a fully-functional turnkey app for the purpose, not so much, in my view.
– David Siegel, Oct 17 '18 at 16:58

@DavidSiegel As someone who works in the information security field, I can confidently say that there are a large number of potentially valid uses for a program, no matter how seemingly malicious. One example is for testing various mitigations, which requires genuinely malicious software. Another would be a pentesting job, where you infect the computers of a business which has paid you to attack them (and written up a detailed contract saying what you can and cannot do) in order to help them fix the weaknesses. Open sourcing the malware used can help the pentesting profession.
– forest, Nov 18 '18 at 8:13

A real life example is the extremely popular Metasploit framework, a set of programs complete with fully weaponized malware and provisions to easily design, deploy, and communicate with malware. It has functionality to attempt to bypass antivirus software and make reverse engineering or analysis difficult. It is capable of launching remote exploits against websites, as well as making it easy to plug in your own exploits. It basically sounds like a system with absolutely no legitimate use. And yet... it's the #1 open source tool for a large number of penetration testers and security analysts!
– forest, Nov 18 '18 at 8:16

Yeah, exploit code is released all the time and it's legal. This answer is wrong.
– Putvi, Apr 15 '19 at 19:18
